DigiNotar hacker threatens to expand spy attacks using stolen certificates

Continues to claim he's acting alone, but some aren't buying that

The hacker with links to several breaches of SSL certificate-issuing networks this year admitted sharing stolen certificates with others in Iran, and threatened to extend future spy-style attacks to computer users in the U.S., Europe and Israel.

"I'll own as more as gateways in Israel, USA, Europe, as more as ISPs and attack will run there," the hacker said in a long, rambling statement today written in sometimes-fractured English.

Comodohacker, as he calls himself, also made new claims, saying that he stole sensitive data, including customer information, from two other certificate authorities, or CAs, the term for organizations allowed to issue SSL (Secure Sockets Layer) certificates.

On Thursday, Comodohacker said he had penetrated the networks of StartCom, an Israeli CA, and U.S.-based GlobalSign.

"I have ALL emails, database backups, customer data which I'll publish all via cryptome in near future," Comodohacker said of StartCom, then about GlobalSign added, "I have access to their entire server, got [database] backups ... I even have private key of their OWN globalsign.com domain."

Comodohacker has previously taken credit for both the Comodo hack in March and the more recent intrusion of DigiNotar. In both cases, he was able to generate unauthorized SSL certificates.

DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website's identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said hackers had acquired 531 certificates, including many used by the Dutch government.

Comodohacker also provided details on the DigiNotar hack, saying that he had penetrated the Dutch company's network even though it was protected by a hardware security module, or HSM, and supposedly safeguarded by token-management systems provided by RSA and Thales.

RSA made the news last March when it acknowledged a hack that let attackers steal information related to its SecurID token system. A later hack of Lockheed Martin, one of the U.S.'s largest military contractors, was blamed on the SecurID fiasco.

Because almost all the people affected by the DigiNotar attack were from Iran, many experts suspect that the hack was sponsored or encouraged by the Iranian government, which wanted the hackers to spy on its citizens.

Comodohacker denied that today, but admitted he had shared the stolen Google certificate with others. "I'm the only hacker, just I have shared some certs with some people in Iran, that's all," he asserted.

Eddy Nigg, the chief technology officer of StartCom, one of the two companies Comodohacker singled out today, wasn't buying it.

"I believe the hacker(s) are not directly related to Iran in any way, but simply criminals getting paid for every targeted certificate," said Nigg in an email reply to questions. "But the attacker or attackers are most likely not Iranian nor a student nor 21 years old. Evidence we have highly suggests that."

A fraudulent certificate alone is not enough to conduct a "man-in-the-middle" attack; the attacker must also be able to intercept the victim's traffic, either by planting malware on individual computers, by compromising the domain name system (DNS) servers at one or more Internet service providers (ISPs), or with the assistance of ISPs or the cooperation of a government that controls the Internet within its borders, as Iran does.
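Once traffic can be intercepted, the remaining defence on the client side is to refuse a certificate that chains to a trusted CA but carries the wrong key. The following Go program is an added example, not code from the article or from any of the companies named: it builds a legitimate root and a stand-in "Compromised CA" (both constructed, as is www.example.com), issues a certificate for the same hostname from each, keeps both CAs in the trust store as DigiNotar's root was before browsers removed it, and shows that ordinary chain validation accepts the mis-issued certificate while a SHA-256 SPKI pin (the form HPKP used) rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for name: self-signed when parent is nil, else signed with parent's key pkey.
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkLeaf runs ordinary chain validation, then enforces the SPKI pin when host has one.
func checkLeaf(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string][32]byte) error {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return err // untrusted issuer, name mismatch or expiry
	}
	if pin, ok := pins[host]; ok && pin != sha256.Sum256(leaf.RawSubjectPublicKeyInfo) {
		return fmt.Errorf("chain for %s validates but SPKI pin mismatch: mis-issued certificate", host)
	}
	return nil
}

func Demo() (legitOK, rogueRejected bool) {
	legitCA, legitKey := mkCert("Legit Root CA", true, nil, nil)
	rogueCA, rogueKey := mkCert("Compromised CA", true, nil, nil) // constructed stand-in for a breached issuer
	legitLeaf, _ := mkCert("www.example.com", false, legitCA, legitKey)
	rogueLeaf, _ := mkCert("www.example.com", false, rogueCA, rogueKey) // mis-issued for the same name
	pins := map[string][32]byte{"www.example.com": sha256.Sum256(legitLeaf.RawSubjectPublicKeyInfo)}
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA) // still trusted, as DigiNotar's root was before browsers removed it
	return checkLeaf(legitLeaf, "www.example.com", roots, pins) == nil, checkLeaf(rogueLeaf, "www.example.com", roots, pins) != nil
}
```

Without the pin entry, checkLeaf would accept the rogue leaf, which is exactly the situation Iranian users faced with the fraudulent Google certificate.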

Reaction to Comodohacker's new claims was swift from GlobalSign and StartCom.

"The GlobalSign CA root was created offline, and always has been offline," said GlobalSign in a statement. "Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA."

On Tuesday, GlobalSign suspended certificate sales and said it had launched an investigation into Comodohacker's claims. A day later, the New Hampshire company said it had hired Fox-IT, the forensics firm that is still digging into the DigiNotar hack for the Dutch government, to investigate.

Earlier today, GlobalSign also called the hacks "an industry-wide threat" because they have been aimed at multiple CAs.

Nigg agreed. "That appears to be the case," said Nigg. "We didn't know at that time...[but now] it's apparent."

Nigg would not confirm or deny Comodohacker's claims of stealing data and customer information from StartCom, but said a June attack against its network did not result in any bogus certificates being let loose.

At the time, StartCom acknowledged the attack and suspended sales of certificates. It re-opened sales a week later.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
